Bug 1920001

Summary: Do not add '%' to group names already prefixed with '%' in IPA sudo rules
Product: Red Hat Enterprise Linux 8
Reporter: Alexey Tikhonov <atikhono>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 8.3
CC: grajaiya, ipa-qe, jhrozek, ksiddiqu, lslebodn, mzidek, pbrezina, sorlov, ssidhaye, sssd-qe, sumenon, tscherf
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-2.4.0-7.el8
Doc Type: If docs needed, set a value
Last Closed: 2021-05-18 15:04:21 UTC
Type: Bug
Attachments: Testrun Report (no flags)

Description Alexey Tikhonov 2021-01-25 14:26:32 UTC
(this is to complement bz 871208)

When IPA allows adding AD users and groups directly to sudo rules (FreeIPA 4.9.1 or later), external groups will already have the '%' prefix. Thus, we don't need to add an additional '%'.

```
# ipa sudorule-show testrule --all --raw
  dn: ipaUniqueID=aa6aba2c-5f0d-11eb-9874-fa163e2c6cfa,cn=sudorules,cn=sudo,dc=ipa,dc=test
  cn: testrule
  ipaenabledflag: TRUE
  hostcategory: all
  externaluser: administrator
  ipasudorunasextusergroup: %domain admins
  ipaUniqueID: aa6aba2c-5f0d-11eb-9874-fa163e2c6cfa
  memberallowcmd: ipaUniqueID=6c5477ec-5bd3-11eb-98ec-fa163e2c6cfa,cn=sudocmds,cn=sudo,dc=ipa,dc=test
  objectClass: ipaassociation
  objectClass: ipasudorule

# ldbsearch -H /var/lib/sss/db/cache_ipa.test.ldb 'cn=testrule'
asq: Unable to register control with rootdse!
# record 1
dn: name=testrule,cn=sudorules,cn=custom,cn=ipa.test,cn=sysdb
cn: testrule
dataExpireTimestamp: 1611580019
name: testrule
objectClass: sudoRule
originalMemberCommand: ipaUniqueID=6c5477ec-5bd3-11eb-98ec-fa163e2c6cfa,cn=sud
 ocmds,cn=sudo,dc=ipa,dc=test
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: %%domain admins
sudoUser: administrator
distinguishedName: name=testrule,cn=sudorules,cn=custom,cn=ipa.test,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals
```

Comment 2 Pavel Březina 2021-01-26 10:55:19 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5476

* `master`
    * cd48ef5071741443e3b84e100a4d4d28e3578e4f - sudo runas: do not add '%' to external groups in IPA

Comment 5 Sudhir Menon 2021-01-29 15:41:11 UTC
Created attachment 1752102 [details]
Testrun Report

Comment 10 errata-xmlrpc 2021-05-18 15:04:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1666